[Bro-Dev] Bro HTTP midstream inspection

Stephen Baker sbaker.inbox at gmail.com
Tue Feb 21 13:18:33 PST 2017


When running Bro, I see a lot of midstream sessions due to long-lived TCP
connections that were established before Bro started.  The Bro conn state is
correctly "OTH", but I would like to inspect the streams that are in
progress.  Is there a recommended way to process midstream TCP with Bro?

For a test I modified HTTP_Analyzer::DeliverStream to allow midstream:

  if ( TCP() && TCP()->IsPartial() )
- return;
+ {
+ if ( allow_midstream_pickup )
+ {
+ Weird("Processing in midstream_client_HTTP_data");
+ }
+ else
+ {
+ return;
+ }
+ }
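Review bot: the Weird() in the fallthrough branch fires on every DeliverStream() call for a partial connection, not once per connection, since DeliverStream() is invoked for each chunk of reassembled data; guard it with a per-analyzer flag set the first time you fall through, or drop the Weird() entirely and rely on the "OTH" conn state that already records the partial pickup, so one long-lived connection does not flood weird.log. Two further points on the same hunk: it does not show where `allow_midstream_pickup` is declared or how it is exposed (a script-level redef-able const would let users opt in without rebuilding), and falling through with no resynchronisation hands whatever byte the stream happens to start at (mid-header, or the middle of a body) straight to the HTTP parser, so expect protocol-violation weirds and mis-attributed headers for the first transaction unless the parser first skips to a request-line or status-line boundary.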

Are there any issues with a change similar to this for HTTP?  I would expect
that not all HTTP logs would be properly filled out for a connection that
was already established, and possibly some weird log entries about the HTTP
headers. The change does allow the logging of HTTP transactions on
existing TCP connections with no issues so far in testing.  I just want
to make sure there is not a better way to deal with existing connections, or
reasons why Bro should not look at HTTP in midstream.
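The step the patch above skips, resynchronising on a partial stream before handing bytes to the HTTP parser, as an added stand-alone example. This is not Bro's code and not the poster's; it is an illustration of the technique in plain C++. The names find_http_sync and resync_midstream are hypothetical, the accepted method list is a constructed subset, and the sample chunk in main() is constructed to look like a connection picked up in the middle of a request with a pipelined request following its body.

```cpp
// Added example (not Bro's code): resynchronising an HTTP parser on a TCP
// stream picked up midstream. Instead of feeding partial-connection bytes
// to the parser as-is, skip to the first plausible request line or status
// line. Names (find_http_sync, resync_midstream) are hypothetical.
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Methods accepted at the start of a request line (constructed, not exhaustive).
static const char* const kMethods[] = {"GET ", "POST ", "PUT ", "HEAD ",
                                       "DELETE ", "OPTIONS ", "PATCH "};

// Printable, non-whitespace byte: what a request-target or header name may contain.
static bool is_token_char(unsigned char c) { return c > 32 && c < 127; }

// After a start line we expect either the end of headers ("\r\n") or one
// header field "name: value\r\n". A buffer that ends first is rejected, so a
// lone start line at the tail of a chunk is not treated as a sync point.
static bool header_or_blank_at(const std::string& buf, size_t pos) {
    if (pos > buf.size()) return false;
    if (buf.compare(pos, 2, "\r\n") == 0) return true;
    size_t colon = buf.find(':', pos);
    size_t eol = buf.find("\r\n", pos);
    if (colon == std::string::npos || eol == std::string::npos) return false;
    if (colon == pos || colon > eol) return false;
    for (size_t i = pos; i < colon; ++i)
        if (!is_token_char((unsigned char)buf[i])) return false;
    return true;
}

// "METHOD SP request-target SP HTTP/1.<digit> CRLF" followed by a header or blank line.
static bool request_line_at(const std::string& buf, size_t pos) {
    for (const char* m : kMethods) {
        size_t n = strlen(m);
        if (buf.compare(pos, n, m) != 0) continue;
        size_t t = pos + n, end = t;
        while (end < buf.size() && is_token_char((unsigned char)buf[end])) ++end;
        if (end == t) return false;                          // empty target
        if (buf.compare(end, 8, " HTTP/1.") != 0) return false;
        size_t v = end + 8;                                  // minor version digit
        if (v >= buf.size() || !isdigit((unsigned char)buf[v])) return false;
        if (buf.compare(v + 1, 2, "\r\n") != 0) return false;
        return header_or_blank_at(buf, v + 3);
    }
    return false;
}

// "HTTP/1.<digit> SP 3DIGIT [SP reason] CRLF" followed by a header or blank line.
static bool status_line_at(const std::string& buf, size_t pos) {
    if (buf.compare(pos, 7, "HTTP/1.") != 0) return false;
    size_t p = pos + 7;
    if (p + 5 > buf.size()) return false;                    // need "d SP ddd"
    if (!isdigit((unsigned char)buf[p]) || buf[p + 1] != ' ') return false;
    for (size_t i = p + 2; i < p + 5; ++i)
        if (!isdigit((unsigned char)buf[i])) return false;
    size_t q = p + 5;
    if (q < buf.size() && buf[q] != ' ' && buf.compare(q, 2, "\r\n") != 0) return false;
    size_t eol = buf.find("\r\n", q);
    if (eol == std::string::npos) return false;
    return header_or_blank_at(buf, eol + 2);
}

// Offset of the first byte at which an HTTP message starts, or npos. Every
// offset is tried, not only line starts, because a pipelined request may
// directly follow a body that has no trailing CRLF.
size_t find_http_sync(const std::string& buf) {
    for (size_t pos = 0; pos < buf.size(); ++pos)
        if (request_line_at(buf, pos) || status_line_at(buf, pos)) return pos;
    return std::string::npos;
}

// Midstream pickup: everything before the sync point belongs to a message
// whose start was never seen (tail of a header block, or a body in progress)
// and is dropped; `data` is what a parser can safely consume.
struct Resync { size_t skipped; std::string data; };
Resync resync_midstream(const std::string& buf) {
    size_t at = find_http_sync(buf);
    if (at == std::string::npos) return Resync{buf.size(), std::string()};
    return Resync{at, buf.substr(at)};
}

int main() {
    // Constructed sample: the tail of an in-flight request seen midstream,
    // its 5-byte body, then a pipelined request that starts mid-line.
    const std::string chunk =
        "ction: keep-alive\r\nContent-Length: 5\r\n\r\nhello"
        "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n";
    Resync r = resync_midstream(chunk);
    printf("skipped %zu bytes; parser sees: %.24s...\n", r.skipped, r.data.c_str());
    return 0;
}
```

The bytes before the sync point are exactly the ones the poster expects to lose: the first transaction on a picked-up connection is either missing or only partly logged, and nothing is reported for it. The boundary check is a heuristic; a body that embeds literal HTTP text (a proxy log, an HTML page quoting a request) can still produce a false sync, which is the kind of case that should surface as a weird rather than as a fabricated transaction.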
